Add ports and hostname correctly in kube yaml #14181
Conversation
openshift-ci
bot
added
the
approved
|
LGTM |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: giuseppe, umohnani8 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
libpod/kube.go
Outdated
| ctr.Ports = ports | ||
| first = false | ||
| // infra container, wipe them here only if we are not sharing the ipc namespace | ||
| if !p.SharesIPC() { |
There was a problem hiding this comment.
Why is this ipc namespace? This looks like it should check for the netns. Ports can only be used when there is a netns, this is not related to the ipc namespace.
There was a problem hiding this comment.
I think we need to come to a consensus on when we allow containers to expose different ports in a pod.
We currently error out when --share is set to uts, net, and the default value(ipc,net,uts).
➜ podman git:(kube-hostname) ✗ ./bin/podman pod create --name mypod
=====s.NetNS.NSMode: slirp4netns
4fda91cfcc0e6cf5cd48e2ec2f81649a9217d5e6cb6b77e3ec2cc5ffe4802176
➜ podman git:(kube-hostname) ✗ ./bin/podman run --name ss_02 --pod mypod --hostname test -p 5000:6000 -d fedora
=====s.NetNS.NSMode: pod
Error: invalid config provided: published or exposed ports must be defined when the pod is created: network cannot be configured when it is shared with a pod
➜ podman git:(kube-hostname) ✗ ./bin/podman pod create --name mypod --share uts
=====s.NetNS.NSMode: slirp4netns
2293b04ed355ed2338cc1883dd3917bdaec2abbb05cb6f1258a9d9ff150d9603
➜ podman git:(kube-hostname) ✗ ./bin/podman run --name ss_02 --pod mypod --hostname test -p 5000:6000 -d fedora
=====s.NetNS.NSMode: slirp4netns
Error: invalid config provided: cannot set hostname when joining the pod UTS namespace: invalid configuration
➜ podman git:(kube-hostname) ✗ ./bin/podman pod create --name mypod --share net
=====s.NetNS.NSMode: slirp4netns
f2b5169bc3d3599e0110009bee534d73b3e732108ce3161452c73ae7474ac249
➜ podman git:(kube-hostname) ✗ ./bin/podman run --name ss_02 --pod mypod --hostname test -p 5000:6000 -d fedora
=====s.NetNS.NSMode: pod
Error: invalid config provided: published or exposed ports must be defined when the pod is created: network cannot be configured when it is shared with a pod
But it works fine with pid and ipc
➜ podman git:(kube-hostname) ✗ ./bin/podman pod create --name mypod --share pid
=====s.NetNS.NSMode: slirp4netns
f4c4a3ab9f9ad58e6037fd9db6cee170a01e4dc9d3bb3ec272799968742485ec
➜ podman git:(kube-hostname) ✗ ./bin/podman run --name ss_02 --pod mypod --hostname test -p 5000:6000 -d fedora
=====s.NetNS.NSMode: slirp4netns
c97df4f323dc13ec368798d381ba694685f6b999c5f77113260c18c9ef716eb2
➜ podman git:(kube-hostname) ✗ ./bin/podman pod create --name mypod --share ipc
=====s.NetNS.NSMode: slirp4netns
ee955b9ef17d8039e414cb9375897fe9c5baab3d0389b231191e3eca5fe14bdd
➜ podman git:(kube-hostname) ✗ ./bin/podman run --name ss_02 --pod mypod --hostname test -p 5000:6000 -d fedora
=====s.NetNS.NSMode: slirp4netns
ce3aa72735d21a06aae21eb58bc06725e4d3f379e0e4e73dfd81ea41058432d3
Should we always require ports to be defined at the pod level only regardless of which kernel namespaces the pod will share?
There was a problem hiding this comment.
We should match kubernetes, Can I have two different containers in a Pod listen on differnet ports blocked to the other container.
There was a problem hiding this comment.
that all depends on whenever the netns is shared or not, if there is no shared netns then you could add ports to the pod(infra container) but since no container uses the namespace they will not have the same ports. Thefore ports must be per container.
If the netns is shared the ports should only be set on the pod(infra container).
Either way this has nothing to do with the ipc namespace.
There was a problem hiding this comment.
Containers in a kubernetes pod share the network and ipc namespaces by default. You can set separate ports for each container in a pod, it is actually recommended to do that to separate the incoming traffic to each container.
It seems like podman pods has a requirement of defining all the ports at pod creation to associate them with the infra container and a patch was introduced to ensure that. But from testing, I noticed that we only error out when certain kernel namespaces are shared and not on others.
@Luap99 so basically, we should only enforce port being added at pod creation when only netns is shared. If any other namespace is shared, it should be fine to allow separate ports for each container?
cc @mheon
There was a problem hiding this comment.
One more thing to note is, podman pod's default is different. We share uts, net, and ipc by default.
There was a problem hiding this comment.
Just make sure this warning does not happen by default, just if users muck around with --share flag.
There was a problem hiding this comment.
Doesn't kubernetes share uts, net and ipc by default? They also share User Namespace by defaut, but don't mention that...
There was a problem hiding this comment.
Yup, that is true my bad. I didn't see it in their docs. Alright I will log a warning if anyone messes with --share and will add the restriction to --hostname. Thanks!
|
@umohnani8 Any movment on this or do you want to hand this off to an intern? |
If a pod is created without net sharing, allow adding separate ports for each container to the kube yaml and also set the pod level hostname correctly if the uts namespace is not being shared. Add a warning if the default namespace sharing options have been modified by the user. Signed-off-by: Urvashi Mohnani <[email protected]>
|
Made the requested changes and tests are basically green. |
|
LGTM |
|
LGTM |
|
/lgtm |
github-actions
bot
added
the
locked - please file new issue/PR
If a pod is created with ipc sharing, allow adding
separate ports for each container to the kube yaml
and also set the pod level hostname correctly.
Signed-off-by: Urvashi Mohnani [email protected]
Fixes #13030
Does this PR introduce a user-facing change?